If I could, that's exactly how I'd do it. Unfortunately, like I said,
we are not allowed to clear the logs on these systems - they have to
remain there locally. We can't do anything except read them.

Believe me, I'd love to be able to use your suggestion, because it
would solve this whole issue very quickly. But we're limited to a
strict "look, don't touch" policy...

On Aug 1, 5:50 pm, Michael Starks <[email protected]>
wrote:
> On 08/01/2011 05:55 PM, Alisha Kloc wrote:
>
> > Unfortunately, we can't make any changes to the HP-UX system, which
> > means no cron jobs, no clearing logs, etc. All we're allowed to touch
> > is OSSEC agent stuff. Within that, I have some flexibility if I use
> > the process monitor to call a simple shell script, which allows
> > consecutive commands like you suggested, but anything beyond that
> > isn't allowed.
>
> How about something like 'command-to-read btmp' && 'cat /dev/null >
> /path/to/btmp_file' in the ossec command. I don't know if the system
> wouldn't like that and there is the unfortunate consequence of not
> having the logs locally, but it seems like it would give you only new
> entries, which you could then do the check_diff on. Run this every
> minute or so and it would be semi-real time.
>
> -Mike
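One read-only way to get the "only new entries" effect Mike is after, as an added example that is not from either poster: a small POSIX shell script, of the kind the OSSEC process monitor can call, that keeps a high-water mark of lines already reported in a state file under the agent's own directory and prints only what was appended since the last run. It never writes to the log. Assumptions not stated in the thread: the log is rendered to text by some reader command (for HP-UX btmp that would be whatever the site uses to dump it; a plain text file stands in for it here), and new records are appended at the end so that a line count is a valid mark. The output can then be fed to check_diff, or consumed directly, since it already contains only the delta.

```shell
#!/bin/sh
# Added example (not the thread's own script): report only the entries
# appended to a read-only log since the previous run, without truncating
# or otherwise modifying the log. The only file written is a state file,
# which is assumed to live somewhere the agent is allowed to write.
#
# Assumptions (not from the page): the log is already text (or has been
# dumped to text by a reader command), and new records are appended at the
# end, so the number of lines already seen works as a high-water mark.

# new_entries LOGTEXT STATEFILE
#   Prints the lines of LOGTEXT past the count stored in STATEFILE, then
#   records the new count. Handles a missing state file (first run), a
#   corrupt state file, and a log that shrank or was rotated (the count
#   is reset and the whole current log is reported rather than skipped).
new_entries() {
    log="$1"
    state="$2"
    seen=0
    if [ -f "$state" ]; then
        seen=$(cat "$state")
    fi
    case "$seen" in
        ''|*[!0-9]*) seen=0 ;;   # corrupt or empty state: start over
    esac
    # wc output may carry leading spaces on some systems; strip them
    total=$(wc -l < "$log" | tr -d ' ')
    if [ "$total" -lt "$seen" ]; then
        seen=0                   # log rotated or rewritten: report everything
    fi
    # tail -n +N prints from line N onward, so skip the first $seen lines
    tail -n "+$((seen + 1))" "$log"
    printf '%s\n' "$total" > "$state"
}

# Usage from an agent-side wrapper (paths are placeholders, not from the page):
#   new_entries /path/to/btmp_dump.txt /var/ossec/var/btmp.state
```

Calling the function on the same log twice in a row prints nothing the second time, and a log that was rotated underneath it is reported in full rather than silently missed; those two behaviours are what distinguish this from simply diffing the whole dump every minute.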
